Topics

Teleport 2.4 released

Jan 10, 2018
by
Ev Kontsevoy

Today we are releasing version 2.4 of Teleport, our popular open source SSH
server. Despite the uneventful version number, this release brings a couple
exciting new features. As always, most of them have became a reality thanks to
the Teleport community.

What is Teleport?

Teleport is a modern SSH bastion server designed for teams managing distributed
infrastructure. Major benefits include certificate-based authentication which
removes the need to manage static keys, integration with SAML and OAuth2
providers, built-in bastions and advanced audit with full session recording.
You can read more about Teleport on its website or
online documentation.

This version brings three major new features to Teleport.

SSH Authentication via Github

Teleport’s Github Authentication Connector
allows users of the open source version to move away from the local user
database and use their Github credentials to SSH into their servers. This is
exciting because OAuth2 authentication has previously only been available to
Teleport Enterprise users. Now, by configuring your Teleport cluster to
authenticate against Github, administrators automatically inherit Github’s
robust 2FA features plus a single source of truth of who gets SSH access and
who does not based on Github team membership.

Session Recording, Audit and Compliance for OpenSSH

One of the
most popular Teleport features is that all SSH sessions are automatically
recorded and can be replayed later or archived for audit purposes. One can say
that a Teleport cluster is a “Youtube for SSH sessions”. However, there has
always been two things users kept asking us for:

The former is easy, there is now a switch to turn session recording off. The
latter was more complicated but we consider it a major feature request because
every large Teleport customer usually has pockets of infrastructure where
OpenSSH cannot be replaced.

Version 2.4 now supports session recording when a user connects to an OpenSSH
server via a Teleport proxy. You can read more in our blog post about how the
Recording Proxy works.

Commercial Offering for Startups and Small Businesses

When we open sourced Teleport we did not expect it to become as popular as it
did. Originally, it was just an SSH library we had built for Telekube,
our product for remotely managing Kubernetes applications on enterprise private
clouds. However, we started getting requests for the same enterprise features
(like role-based access control and SAML / OAuth2 authentication via providers
like Okta) from Teleport users who did not need Kubernetes. So, we started
offering a commercial Teleport offering (Teleport Enterprise) for large
companies with customized pricing.

Turns out, start-ups and smaller businesses also want role-based access control
(RBAC) for SSH. We’ve had numerous conversations with smaller companies who
wanted to move away from SSH keys to SSH certificates issued via Okta or Github
but didn’t need a customized enterprise contract. That is why we’ve decided to
launch a standardized and more affordable commercial Teleport edition.

Starting with 2.4 anyone can visit the Teleport Website
and sign up for Teleport Pro or Teleport Business. Users of these editions will
get the same enterprise features as large companies do, including commercial
support from Gravitational.

Upgrading

Teleport 2.4 is meant to be a drop-in replacement for 2.x series.
However, it is always recommended to make a backup of the cluster state prior
to replacing the teleport binary with a new version. The cluster state is
located in /var/lib/teleport directory for filesystem-based deployments. Users
of the etcd backend should use etcdctl backup command to accomplish this.

Thanks to Josh Donzello, Brendan Germain and other community contributors and
testers who helped us make 2.4 a reality!